|
|
| Problem Description |
Two format string vulnerabilities were discovered in ProFTPD. The
first exists when displaying a shutdown message containin the name of
the current directory. This could be exploited by a user who creates
a directory containing format specifiers and sets the directory as the
current directory when the shutdown message is being sent.
The second exists when displaying response messages to the cleint using
information retreived from a database using mod_sql. Note that mod_sql
support is not enabled by default, but the contrib source file has been
patched regardless.
The updated packages have been patched to correct these problems.
| Updated Packages |
Mandrakelinux 10.0
9754b8d4357f6843ed9f613d1daeca4e 10.0/RPMS/proftpd-1.2.9-3.3.100mdk.i586.rpm 9009783efdf84c2f92a988e6268f0631 10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.i586.rpm cef8ec2cd6a3ec3c1e2b737221cbf97c 10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm
Mandrakelinux 10.0/AMD64
23c5bf83875f00ab5f554029c6aa9177 amd64/10.0/RPMS/proftpd-1.2.9-3.3.100mdk.amd64.rpm 80b34a20f86d090c0b1f19972f213af8 amd64/10.0/RPMS/proftpd-anonymous-1.2.9-3.3.100mdk.amd64.rpm cef8ec2cd6a3ec3c1e2b737221cbf97c amd64/10.0/SRPMS/proftpd-1.2.9-3.3.100mdk.src.rpm
Mandrakelinux 10.1
68039b1c9e9090856e8e93c11edc3c10 10.1/RPMS/proftpd-1.2.10-2.1.101mdk.i586.rpm 0952d937b0d8432eeb365ea07ba267b9 10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.i586.rpm fafda6527589ac244691743278c5fb2f 10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64
1c37bda199475b68dae530c06285222f x86_64/10.1/RPMS/proftpd-1.2.10-2.1.101mdk.x86_64.rpm 4e2c3f72c6bc1710e82f81d919df4a0d x86_64/10.1/RPMS/proftpd-anonymous-1.2.10-2.1.101mdk.x86_64.rpm fafda6527589ac244691743278c5fb2f x86_64/10.1/SRPMS/proftpd-1.2.10-2.1.101mdk.src.rpm
Corporate Server 3.0
ed09c8c53d71e04c21ffaf1d647722c1 corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.i586.rpm 5885b14d6817c11ef29c03aed76cb61f corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.i586.rpm b71bb2a58e0ac2d224c2fc332fbccdc7 corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm
Corporate Server 3.0/X86_64
96d72d9503f3b7f86d7b162453f9f25c x86_64/corporate/3.0/RPMS/proftpd-1.2.9-3.3.C30mdk.x86_64.rpm eff847004e164052d380b9937ec641ee x86_64/corporate/3.0/RPMS/proftpd-anonymous-1.2.9-3.3.C30mdk.x86_64.rpm b71bb2a58e0ac2d224c2fc332fbccdc7 x86_64/corporate/3.0/SRPMS/proftpd-1.2.9-3.3.C30mdk.src.rpm
Mandriva Linux LE2005
62c9ac6c9f9cefe3ae26d00287430abd 10.2/RPMS/proftpd-1.2.10-9.1.102mdk.i586.rpm 77020ac5c67cf4ed616a4d858cbdca61 10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.i586.rpm 332bc621d075cce043964146d874eefc 10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm
Mandriva Linux LE2005/X86_64
9077e02a37afaeef184095d5e32d4795 x86_64/10.2/RPMS/proftpd-1.2.10-9.1.102mdk.x86_64.rpm 6f7e7a053d2a8d3872efdd87dcf1227f x86_64/10.2/RPMS/proftpd-anonymous-1.2.10-9.1.102mdk.x86_64.rpm 332bc621d075cce043964146d874eefc x86_64/10.2/SRPMS/proftpd-1.2.10-9.1.102mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390
http://secunia.com/advisories/16181
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.